A new Business Email Compromise (BEC) attack targeting high-level executives has been identified.
BEC campaigns are a form of phishing in which the attacker impersonates a high-ranking member of an organisation, such as the CEO or CFO, to extract sensitive information from employees. The information obtained, typically login credentials or financial details, is then used for fraud or further compromise.
The attackers often first take over the executive's own email account through a targeted social engineering campaign known as "spear phishing", or simply forge the sender address so that a message appears to come from that account. The account or forged identity is then used to send a fake email to employees, typically asking them to submit sensitive information through a link embedded in the message. Because the email appears to come from such a senior figure, employees tend to respond quickly and without question, and the attacker harvests whatever they submit.
The recent BEC campaign attempts to gain access to the Office 365 accounts of senior managers. The emails appear to have been sent from the CEO's email account and, like many phishing emails, contain a request that demands an urgent response. In this case the recipient is urged to click an embedded link to reschedule a cancelled board meeting via a Doodle poll. Employees who click the link are redirected to what looks like an Office 365 login page and invited to enter their credentials. The page is a spoof built by the attacker, who collects the login details as soon as the user submits them.
Although the campaign is well crafted, several tell-tale signs indicate that the email is a spoof. The subject line reads "New message: [Company Name] February in-person Board Mtg scheduling"; the odd capitalisation and abbreviation may have looked suspicious to some recipients. Opened on a mobile device, the message shows the sender as "Note to Self", the label Outlook uses for a message whose sender address is the recipient's own, which suggests the From address was forged rather than the CEO's real account being used. Clicking the link leads to a web.core.windows.net domain, the endpoint Azure Storage assigns to static websites, which anyone with an Azure subscription can provision; it is not the domain a genuine Doodle poll would use. Despite these signs, the emails bypassed the Office 365 anti-spam controls.
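The three signs above (a self-addressed sender, an odd subject line, and a "Doodle" link that points at a free-hosting domain rather than Doodle) can be checked mechanically before a message reaches a mailbox or during triage. The script below is an added example, not code from the original article or from any vendor: it parses a constructed .eml modelled on the article's description, plus a constructed benign message for contrast, using only the Python standard library. The expected poll domain (doodle.com), the list of subject keywords, and the rule set are this example's own assumptions.

```python
"""Added example (not from the original article): triage checks for the
indicators described in the text, run over constructed sample messages.

Assumptions: the two .eml strings below are constructed for this example,
the expected Doodle host and subject keywords are this example's choices,
and the rules are illustrative heuristics rather than a vendor's detection.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the campaign (not a real captured email).
# The sender address equals the recipient's, and the "Doodle" link points at
# an Azure static-website host instead of Doodle's own domain.
SAMPLE_EML = """\
From: "Jane Doe (CEO)" <alice@example.com>
To: alice@example.com
Subject: New message: Example Corp February in-person Board Mtg scheduling
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The board meeting was cancelled. Please pick a new slot urgently:</p>
<p><a href="https://boardmtg.z13.web.core.windows.net/doodle/login.html">
Open Doodle poll</a></p>
</body></html>
"""

# Constructed benign message for contrast: a real Doodle link from a colleague.
BENIGN_EML = """\
From: "Bob Smith" <bob@example.com>
To: alice@example.com
Subject: Team lunch date
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://doodle.com/poll/abc123">Pick a day</a></p></body></html>
"""

# Hosts a genuine Doodle poll link is expected to use (assumption for this example).
EXPECTED_POLL_HOSTS = {"doodle.com"}
# Suffixes anyone can provision, so they should never host a corporate login page.
FREE_HOSTING_SUFFIXES = (".web.core.windows.net",)
# Subject fragments taken from the campaign's subject line (example's own list).
SUBJECT_HINTS = ("board mtg", "urgent", "new message:")


def extract_links(html: str) -> list:
    """Return every href target found in an HTML body."""
    return re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I)


def host_matches(host: str, expected: set) -> bool:
    """True if host is one of the expected domains or a subdomain of one.
    Suffix matching with a leading dot stops doodle.com.evil.net from passing."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in expected)


def triage(raw_eml: str) -> dict:
    """Apply the tell-tale signs to one message and return the findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = {}

    # Sign 1: sender address equals a recipient address. Outlook renders such
    # a message as "Note to Self", which is what the article reports.
    from_addr = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    to_addrs = {a.addr_spec.lower() for a in msg["To"].addresses} if msg["To"] else set()
    findings["self_addressed"] = from_addr in to_addrs

    # Sign 2: subject wording matching the campaign.
    subject = (msg["Subject"] or "").lower()
    findings["subject_hints"] = [h for h in SUBJECT_HINTS if h in subject]

    # Sign 3: a "Doodle" link whose host is not Doodle, and in particular one
    # on a free-hosting suffix.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    bad_hosts = []
    for url in extract_links(html):
        host = urlparse(url).hostname or ""
        if not host_matches(host, EXPECTED_POLL_HOSTS):
            bad_hosts.append(host)
    findings["mismatched_link_hosts"] = bad_hosts
    findings["free_hosting_links"] = [h for h in bad_hosts if h.endswith(FREE_HOSTING_SUFFIXES)]

    findings["suspicious"] = bool(
        findings["self_addressed"] or bad_hosts or findings["subject_hints"]
    )
    return findings


if __name__ == "__main__":
    for label, raw in (("campaign sample", SAMPLE_EML), ("benign sample", BENIGN_EML)):
        print(label, triage(raw))
```

The self-addressed check is the cheapest of the three and the hardest for an attacker to avoid if they want the "from yourself" trick, so it is worth wiring into a mail-flow rule on its own; the link-host check needs the list of legitimate hosts maintained per service, and the subject keywords will only ever catch this campaign's exact wording.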
The easiest way to avoid being misdirected to a fake website is not to follow the link embedded in an email at all. Instead, open the service in a new tab by typing its address or searching for it, and log in there; if something genuinely needs your attention, the notification will be waiting once you are logged in. Familiarising yourself with phrases common in phishing emails (for example being addressed as "our valued customer" rather than by your name or username) also helps you spot scams that have made it past the email filters.
This BEC scam highlights the importance of ensuring that all members of an organisation are aware of the dangers of phishing. Even high-level executives may be fooled. Regular cybersecurity training programs are critical in protecting an organisation against such attacks.